Bluetooth attacks can remotely unlock Teslas and smart locks


Security researchers have demonstrated a new Bluetooth relay attack that can remotely unlock and operate some Tesla vehicles.
The vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system that allows drivers with the app or key fob to unlock and operate the car when nearby. Most devices and vehicles that rely on this type of proximity-based authentication are designed to protect against a variety of relay attacks, which typically work by intercepting the radio signal used to unlock a vehicle, for example, and replaying it as if it were an authentic request; they do so by using encryption and introducing checks intended to make relay attacks more difficult.
But researchers at UK-based NCC Group say they have developed a tool to carry out a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically allowing attackers to remotely unlock and operate vehicles.
Sultan Qasim Khan, a senior security consultant at NCC Group, said in a blog post that the firm tested the attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent, though not the latest, version of the Tesla app. The iPhone was placed 25 meters away from the vehicle, according to the researchers, with two relay units between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely. The experiment was also successfully replicated on a 2021 Tesla Model Y, which also uses “phone-as-a-key” technology.
While the attack was demonstrated against Tesla vehicles, Khan notes that any vehicle that uses BLE for its keyless system could be vulnerable to this attack. In a separate advisory, NCC Group warns that the attack could also be used against the Kwikset and Weiser Kevo series of smart locks, which support BLE passive entry through their “touch-to-open” functionality.
In a video shared with TechCrunch, Khan can be seen walking up to the Tesla Model Y carrying a laptop with a relay unit attached, allowing him to wirelessly unlock the car and open the door.
“Our research shows that systems people rely on to protect their cars, homes and private data use Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware,” Khan said.
The researchers disclosed their findings to Tesla and to the Bluetooth Special Interest Group (SIG), the industry group that oversees the development of the Bluetooth standard; the SIG acknowledged the problem but said that relay attacks were a known problem with Bluetooth. Tesla officials also said relay attacks were a known limitation of the passive entry system. Tesla did not respond to TechCrunch’s request for comment. (Tesla scrapped its PR team in 2020.)
“The NCC Group recommends that the SIG proactively advises its members developing proximity authentication systems about the risk of BLE relay attacks,” Khan added. “Additionally, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link-layer encryption nor expectations of normal response timing are defenses against relay attacks.”
The researchers encourage Tesla owners to use the PIN to Drive feature, which requires a four-digit PIN to be entered before the vehicle can be driven, and to disable the passive entry system in the mobile app.
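The point in Khan’s statement that neither link-layer encryption nor normal response-timing expectations stop a relay can be seen in a small simulation. This is an added, constructed model written for this page, not NCC Group’s tool or Tesla’s protocol: the car issues a random challenge, the phone answers with an HMAC under a shared key, and a relay simply forwards both messages with extra latency. The key, the 2 ms/15 ms latencies and the timing bounds are all assumed values.

```python
import hashlib
import hmac
import os

# Constructed pairing secret shared by car and phone; the relay never learns it.
KEY = b"constructed-demo-pairing-key"

class Phone:
    """Legitimate phone: answers a challenge with an HMAC; ~2 ms BLE turnaround (assumed)."""
    def respond(self, challenge: bytes) -> tuple[bytes, float]:
        mac = hmac.new(KEY, challenge, hashlib.sha256).digest()
        return mac, 0.002

class Forger:
    """Attacker without the key: a made-up answer is caught by the MAC check."""
    def respond(self, challenge: bytes) -> tuple[bytes, float]:
        return b"\x00" * 32, 0.002

class Relay:
    """Two relay units bridging car and distant phone: forwards bytes unchanged, adds latency, needs no key."""
    def __init__(self, phone: Phone, added_latency_s: float) -> None:
        self.phone = phone
        self.added_latency_s = added_latency_s
    def respond(self, challenge: bytes) -> tuple[bytes, float]:
        mac, rtt = self.phone.respond(challenge)  # challenge out, genuine MAC back
        return mac, rtt + self.added_latency_s

def car_unlock(responder, rtt_limit_s: float) -> str:
    """Car side: fresh random challenge, verify the MAC, then bound the round trip."""
    challenge = os.urandom(16)
    mac, rtt = responder.respond(challenge)
    expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "rejected: bad mac"      # cryptography stops forgery, not relaying
    if rtt > rtt_limit_s:
        return "rejected: too slow"     # only a tight bound notices the extra hop
    return "unlocked"

def demo() -> dict[str, str]:
    """Compare a loose 'normal response timing' bound with a tight one."""
    phone = Phone()
    relayed = Relay(phone, added_latency_s=0.015)  # constructed: 15 ms over the relay link
    return {
        "legit, loose bound": car_unlock(phone, rtt_limit_s=0.030),
        "forged, loose bound": car_unlock(Forger(), rtt_limit_s=0.030),
        "relayed, loose bound": car_unlock(relayed, rtt_limit_s=0.030),
        "relayed, tight bound": car_unlock(relayed, rtt_limit_s=0.005),
    }
```

The relayed attempt carries a valid MAC and passes the loose bound, which is why a second factor such as PIN to Drive, or disabling passive entry, is the practical mitigation the article describes.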
Tesla is no stranger to security flaws. Earlier this year, a 19-year-old security researcher said he was able to remotely access dozens of Teslas around the world because security flaws found in an open-source logging tool popular with Tesla owners exposed their cars directly to the internet.